Re: Tested?
Agreed, their app needs to be thoroughly tested, and they should be able to prove that.
However, it's very unclear how the app relates to this fraud. As far as I can see, from Bob Sullivan's and others' articles on the issue, it's all through their online account at starbucks.com. Miscreants obtain login credentials via phishing emails or a variety of other means, and there's a chance those credentials work on starbucks.com (or many other popular sites!) because many people re-use the same username and password. Not much Starbucks can do for stupid people, although they can educate the ignorant. And that applies to any other site where a similar transaction is possible.
This (from the article) is complete nonsense:
Sullivan recommends that all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.
The most that would do is slow the crook down a few seconds, since if they have access to your account, they can quickly turn that feature on and proceed to auto-charge your credit card. Perhaps what he really means is "Don't store your credit card info in your starbucks.com account so that auto-reload is not available". Then the most the crook can steal is your current Starbuck's card balance.
Any site where you have your credit card or bank details stored which can pay for anything other than, for example, your monthly electricity bill, must have a strong and unique password. Even if you get your stolen money back, it's still a big hassle. (And in this case, Starbucks should be refunding every single reported fraudulent charge -- they have a record of all the gift cards to which those fraudulent charges were sent, after all, and can invalidate the cards.)